Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

> what i do not understand is why people think screaming to the choir will
> make any significant difference?

Think about it. Would you rather nobody make a big deal about it and have
it go unpatched lots of places, and have nobody understand what a monumental
train wreck this all is, or would it be better that people take some notice,
and have resources like NANOG available to help them make the case about
how this needs to be patched, and also just how much we all need DNSSEC?

Sometimes the only thing you can do is scream at the choir, but if that can
make even a small difference, why not?

And Paul's absolutely correct, this is not something where we can afford to
let that happen. You will be affected regardless, whether it is because
your customers are relying on an answer provided by a nameserver somewhere
else in the infrastructure that has been corrupted, or whatever. And
patching does not appear to guarantee invulnerability (eek!)

The Really Scary Possibilities (at least the one that really frightens me)
Have Not Been Discussed On This List.

... JG

> what i do not understand is why people think screaming to the choir will
> make any significant difference?

> And Paul's absolutely correct, this is not something where we can afford to
> let that happen.

  Paul is correct if you work from his point of view. there
  are other pov where the frantic energy expenditure might be
  better spent. If you -must- patch, try patching w/ code that
  is -not- vulnerable... unbound has been reported as being "safe"
  if properly configured. So that was my patch profile.

  actually, i think this is a whole lot of effort for what is
  essentially a diversion tactic. Why you ask?

> And patching does not appear to guarantee invulnerability (eek!)

  there you go. the massive effort to patch would likely have
  better been spent to actually -sign- the stupid zones and
  work out key distribution. but no... running around like
  the proverbial headless chicken seems to get the PR.

  The real value in this frantic exercise was pointed out by Roy
  Arends... the number of folks who now have (possibly) DNSSEC aware
  code in play is much higher than last month.

> The Really Scary Possibilities (at least the one that really frightens me)
> Have Not Been Discussed On This List.

  true enough. and that is a good thing.

> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net

--bill

Maybe someone could publish a blacklist of vulnerable recursive
name servers, and then F-Root, the other root name servers,
and other "popular" sites could start refusing to answer queries
from vulnerable name servers until after the blacklist operator decides
they've patched their recursive server sufficiently?

Maybe that would get their attention and encourage them to apply
resources to the problem?

Extreme situations justify extreme measures; or how extreme do
you believe justifies what measures?

Knock yourself out, Sean.

--bill

How about blacklists for:

Outdated and insecure IOS
Outdated and insecure SSH
Outdated and insecure Unix implementations
Spam appliances
Outdated OS images everywhere
Outdated and insecure dns
Outdated and insecure proxies
Outdated and insecure mysql, php, etc
Richard Stallman for rms/rms

One worthy example of leadership related to this current issue is RCN.
They apparently scanned their customer networks for this vuln and
called the vulnerable customers, advising them of the problem and
politely requesting a fix.

Reinforces why full disclosure is better as well. Who got the early
warnings? Better yet, who didn't?

Best,

Marty